Information Security & Risk Management
Presented by Mohammad Ashfaqur Rahman, Compliance Professional
www.linkedin.com/in/ashfaqsaphal
Objective
● Common methods and types of attack
● Layered Approach
● Security Objectives
● Responsibilities
● Risk Management
Common Cyber Attack
● Malware
– code with malicious intent that typically steals data or destroys something on the computer
– introduced to a system through
• email attachments
• software downloads, or
• operating system vulnerabilities
Common Cyber Attack
● Malware
– code with malicious intent that typically steals data or destroys something on the computer
– Viruses : make a computer "sick"
– Spyware : monitors or spies on its victims
– Worms : fulfill a nefarious
Common Cyber Attack
● Malware infection techniques
– Phishing
– Spear phishing
– Drive-by download
– Fake anti-virus software
– Ransomware
– Drive-by email
– Web inject
Common Cyber Attack
● Phishing
– social engineering + widespread email
Common Cyber Attack
● Drive-by Download
– unintentional download of malicious software
Common Cyber Attack
● Fake Antivirus
– alarms the user with a false infection warning
Common Cyber Attack
● Ransomware
– encrypts your computer data and asks you to pay money
Common Cyber Attack
● Drive-by Email
– triggered by opening the email or viewing it in the email preview screen
Common Cyber Attack
● DoS attack
– a denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users
● DDoS attack
– the attack source is more than one (and often thousands of) unique IP addresses
DoS and DDoS
Layered Approach
● Also known as the "defense-in-depth approach"
● Implement different layers of protection
● The spectrum can range from
– the programming code
– the protocols that are being used
– the operating system and the application configurations
– through to user activity
– the security program
Layered Approach
● Example : protecting file agent
– Configure application, file, and Registry access control lists (ACLs)
– Configure the system default user rights
– Consider the physical security of the environment
– Place users into group policies as required
– Enforce a strict logon credential policy
– Remove shared IDs
– Implement monitoring and auditing of file access
– Take action to identify any suspicious activity
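The checklist above can be expressed as code. The following Python is an added example, not material from the presentation: each layer (group-based ACL, refusal of shared IDs, an MFA logon requirement for writes) can independently deny a file access, every decision is written to an audit trail, and a monitoring pass flags users who accumulate repeated denials. The file paths, accounts, group names and the denial threshold are constructed sample data.

```python
"""Defense-in-depth file access check: several independent layers each
hold a veto, every decision lands in an audit trail, and a monitor scans
that trail for suspicious patterns. All ACLs, accounts and thresholds
below are constructed sample data (not a real system)."""
from collections import Counter
from dataclasses import dataclass, field

# Layer 1: per-file ACLs (constructed): which groups may read / write each file.
FILE_ACL = {
    "/srv/payroll/2024.xlsx": {"read": {"finance", "finance-admins"},
                               "write": {"finance-admins"}},
    "/srv/public/handbook.pdf": {"read": {"staff", "finance", "finance-admins"},
                                 "write": {"hr"}},
}

# Layer 2: accounts with group membership; shared IDs are marked so they can be refused.
ACCOUNTS = {
    "alice":      {"groups": {"staff", "finance"},        "shared": False, "mfa": True},
    "bob":        {"groups": {"staff"},                   "shared": False, "mfa": True},
    "carol":      {"groups": {"staff", "finance-admins"}, "shared": False, "mfa": False},
    "ops-shared": {"groups": {"staff", "finance-admins"}, "shared": True,  "mfa": False},
}

# Layer 3: logon credential policy, here "writes need an MFA-backed logon".
WRITE_REQUIRES_MFA = True

# Monitoring rule (constructed): this many denials for one user is suspicious.
DENIAL_THRESHOLD = 3


@dataclass
class AuditTrail:
    """Append-only record of every access decision (the auditing layer)."""
    entries: list = field(default_factory=list)

    def record(self, user, path, action, allowed, reason):
        self.entries.append({"user": user, "path": path, "action": action,
                             "allowed": allowed, "reason": reason})


def check_access(user, path, action, audit):
    """Run the layers in order; the first layer that objects denies the request.
    Returns True when access is granted, False otherwise; always audits."""
    acct = ACCOUNTS.get(user)
    acl = FILE_ACL.get(path)
    if acct is None or acl is None:
        allowed, reason = False, "unknown user or file"
    elif acct["shared"]:
        allowed, reason = False, "shared ID not permitted"          # removal of shared IDs
    elif action not in acl:
        allowed, reason = False, "unknown action"
    elif not (acct["groups"] & acl[action]):
        allowed, reason = False, "no group grants %s" % action      # ACL / group policy
    elif action == "write" and WRITE_REQUIRES_MFA and not acct["mfa"]:
        allowed, reason = False, "write requires MFA logon"         # credential policy
    else:
        allowed, reason = True, "granted by group ACL"
    audit.record(user, path, action, allowed, reason)
    return allowed


def suspicious_users(audit, threshold=DENIAL_THRESHOLD):
    """Monitoring layer: users whose denial count reaches the threshold."""
    denials = Counter(e["user"] for e in audit.entries if not e["allowed"])
    return sorted(u for u, n in denials.items() if n >= threshold)


if __name__ == "__main__":
    trail = AuditTrail()
    check_access("alice", "/srv/payroll/2024.xlsx", "read", trail)
    check_access("carol", "/srv/payroll/2024.xlsx", "write", trail)
    for _ in range(3):
        check_access("bob", "/srv/payroll/2024.xlsx", "read", trail)
    for e in trail.entries:
        print(e)
    print("suspicious:", suspicious_users(trail))
```

The order of the layers matters: a shared ID is refused before its group membership is even consulted, so a well-provisioned shared account never reaches the ACL layer, which is the point of the "remove shared IDs" item.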
Security Objectives - CIA
● Confidentiality : "Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information." (44 USC Sec. 3542)
● Integrity : "Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity." (44 USC Sec. 3542)
● Availability : "Ensuring timely and reliable access to and use of information." (44 USC Sec. 3542)
Security Objectives - CIA
[Diagram: the CIA triad, with Confidentiality, Integrity and Availability arranged around Information Security]
● Confidentiality : preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information
● Integrity : guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity
● Availability : ensuring timely and reliable access to and use of information
Security Objectives - CIA
The Best Practices
● Confidentiality
● Integrity
● Availability
● Need-to-know
● Least privilege
● Separation of duties
● Job rotation
● Mandatory vacation
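As an added example (not from the slides), the Python below applies three of these practices to a constructed payment-approval ledger: least privilege (each role carries only the permissions it needs), separation of duties (the person who initiates a payment may not be the one who approves it), and a review pass that reports every row breaking either rule, which is the kind of check that becomes possible once job rotation or mandatory vacation puts a second person on the task. The roles, users and ledger rows are constructed sample data.

```python
"""Separation-of-duties and least-privilege review over a constructed
approval ledger. Every payment must be initiated and approved by two
different people, and each person holds only the permissions of one
narrowly scoped role. Roles, users and rows are sample data."""

# Least privilege: one small permission set per role (constructed).
ROLE_PERMISSIONS = {
    "clerk": {"initiate"},
    "manager": {"approve"},
    "controller": {"approve", "reconcile"},
}

# Who holds which role (constructed).
USERS = {"ann": "clerk", "ben": "manager", "cy": "controller", "dee": "clerk"}

# Constructed ledger rows; comments mark the rows the review should catch.
LEDGER = [
    {"id": 1, "initiated_by": "ann", "approved_by": "ben", "amount": 900},
    {"id": 2, "initiated_by": "ann", "approved_by": "ann", "amount": 4200},  # self-approval
    {"id": 3, "initiated_by": "dee", "approved_by": "dee", "amount": 150},   # self-approval
    {"id": 4, "initiated_by": "ben", "approved_by": "cy", "amount": 7000},   # manager cannot initiate
    {"id": 5, "initiated_by": "ann", "approved_by": "cy", "amount": 300},
]


def can(user, permission):
    """True when the user's role grants the permission; unknown users get nothing."""
    return permission in ROLE_PERMISSIONS.get(USERS.get(user, ""), set())


def review_ledger(rows):
    """Return {row id: [findings]} for every row that breaks separation of
    duties or exceeds the least-privilege permission set of a role."""
    findings = {}
    for row in rows:
        problems = []
        if row["initiated_by"] == row["approved_by"]:
            problems.append("separation of duties: initiator approved own transaction")
        if not can(row["initiated_by"], "initiate"):
            problems.append("least privilege: %s lacks 'initiate'" % row["initiated_by"])
        if not can(row["approved_by"], "approve"):
            problems.append("least privilege: %s lacks 'approve'" % row["approved_by"])
        if problems:
            findings[row["id"]] = problems
    return findings


if __name__ == "__main__":
    for row_id, problems in sorted(review_ledger(LEDGER).items()):
        for p in problems:
            print("row %d: %s" % (row_id, p))
```

Row 2 produces two findings rather than one: the self-approval breaks separation of duties, and a clerk approving anything at all exceeds the clerk role. Reporting both keeps the two controls independent, so weakening one does not silently hide the other.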
Security Control Points
● Operational and Physical Controls
– Operational Security (execution of policies, standards and processes; education and awareness)
• Service providers: IA, Program Security, Personnel Security, Document Controls (or CM), HR, Finance, etc.
Security Control Points
● Operational and Physical Controls
– Physical Security (facility or infrastructure protection)
• Locks, doors, walls, fences, curtains, etc.
• Service providers: FSO, guards, dogs
Security Control Points
● Technical (Logical) Controls
– Access controls, identification and authorization, confidentiality, integrity, availability, non-repudiation
• Service providers: Enterprise Architect, Security Engineer, CERT, NOSC, Helpdesk
Threat, Risk, and Countermeasure
● Threat agent : an entity that may act on a vulnerability
● Threat : any potential danger to the information life cycle
● Vulnerability : a weakness or flaw that may provide an opportunity to a threat agent
● Risk : the likelihood that a threat agent exploits a discovered vulnerability
● Exposure : an instance of being compromised by a threat agent
● Countermeasure / safeguard : an administrative, operational, or logical mitigation against potential risk(s)
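The definitions above fit together as a risk register. The Python below is an added example, not part of the presentation: each item pairs a threat agent and threat with the vulnerability it acts on, scores likelihood, and records the countermeasures that reduce it. It goes one step beyond the slide's definition of risk by also weighting each item with an impact score (likelihood times impact) and computing a residual risk after the safeguards, which is an assumption of this example rather than something the slides state. The threats, scores, band thresholds and safeguards are constructed sample data.

```python
"""Risk register built on the slide's vocabulary: a threat agent acts on a
vulnerability, a countermeasure (administrative, operational or logical)
mitigates it. Risk is scored as likelihood x impact (an assumption of this
example); a countermeasure scales likelihood and/or impact to give the
residual risk. All items and numbers are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Countermeasure:
    name: str
    kind: str                   # administrative, operational or logical, as on the slide
    likelihood_factor: float    # multiplier applied to likelihood (1.0 = no effect)
    impact_factor: float        # multiplier applied to impact (1.0 = no effect)


@dataclass
class RiskItem:
    threat_agent: str
    threat: str
    vulnerability: str
    likelihood: int             # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int                 # 1 (negligible) .. 5 (severe), constructed scale
    countermeasures: list = field(default_factory=list)

    def inherent_risk(self):
        """Risk before any safeguard is applied."""
        return self.likelihood * self.impact

    def residual_risk(self):
        """Risk remaining after every listed countermeasure has scaled the inputs."""
        lik, imp = float(self.likelihood), float(self.impact)
        for cm in self.countermeasures:
            lik *= cm.likelihood_factor
            imp *= cm.impact_factor
        return round(lik * imp, 1)


def risk_band(score):
    """Qualitative band for a 1..25 score (thresholds are an assumption)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritise(register):
    """Highest residual risk first: that is where treatment effort should go next."""
    return sorted(register, key=lambda item: item.residual_risk(), reverse=True)


# Constructed sample register.
SAMPLE_REGISTER = [
    RiskItem("external attacker", "ransomware delivered by phishing mail",
             "users open untrusted attachments", likelihood=4, impact=5,
             countermeasures=[
                 Countermeasure("awareness training", "operational", 0.6, 1.0),
                 Countermeasure("offline, tested backups", "logical", 1.0, 0.4),
             ]),
    RiskItem("botnet", "DDoS against the public web site",
             "single internet uplink", likelihood=3, impact=4,
             countermeasures=[
                 Countermeasure("upstream traffic scrubbing", "logical", 1.0, 0.5),
             ]),
    RiskItem("insider", "data exfiltration",
             "shared admin ID without audit trail", likelihood=2, impact=5,
             countermeasures=[]),
]


if __name__ == "__main__":
    for item in prioritise(SAMPLE_REGISTER):
        print("%-18s inherent=%2d (%s)  residual=%4.1f (%s)" % (
            item.threat_agent, item.inherent_risk(), risk_band(item.inherent_risk()),
            item.residual_risk(), risk_band(item.residual_risk())))
```

Note that the prioritised order is not the inherent order: the ransomware item starts highest but ends lowest because two countermeasures address it, while the insider item, with no safeguard at all, rises to the top of the treatment list.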
Information Security Implementation
Security System Development Life Cycle
● The same phases used in traditional SDLC may be adapted to support specialized implementation of an IS project
● Identification of specific threats and creating controls to counter them
● SecSDLC is a coherent program rather than a series of random, seemingly unconnected actions
SSDLC - Investigation
● Identifies process, outcomes, goals, and constraints of the project
● Begins with the enterprise information security policy
● Organizational feasibility analysis is performed
SSDLC - Analysis
● Documents from the investigation phase are studied
● Analyzes existing security policies or programs, along with documented current threats and associated controls
● Includes analysis of relevant legal issues that could impact the design of the security solution
● The risk management task begins
SSDLC - Logical Design
● Creates and develops blueprints for information security
● Incident response actions planned:
– Continuity planning
– Incident response
– Disaster recovery
● Feasibility analysis to determine whether project should continue or be outsourced
SSDLC - Physical Design
● Needed security technology is evaluated, alternatives generated, and final design selected
● At end of phase, feasibility study determines readiness of organization for project
SSDLC - Implementation
● Security solutions are acquired, tested, implemented, and tested again
● Personnel issues evaluated; specific training and education programs conducted
● Entire tested package is presented to management for final approval
SSDLC - Maintenance and Change
● Perhaps the most important phase, given the ever-changing threat environment
● Often, reparation and restoration of information is a constant duel with an unseen adversary
● Information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve
Security Professionals
● Wide range of professionals required to support a diverse information security program
● Senior management is key component; also, additional administrative support and technical expertise required to implement details of IS program
Information Security Project Team
● A number of individuals who are experienced in one or more facets of technical and non-technical areas:
– SME
– Team leader
– Security policy developers
– Risk assessment specialists
– Security professionals
– Systems administrators
– End users
Additional Information : Data Ownership
● Data Owner
– responsible for the security and use of a particular set of information
● Data Custodian
– responsible for storage, maintenance, and protection of information
● Data Users
– end users who work with information to perform their daily jobs supporting the mission of the organization
It is your turn again
The Final Word